Let us find out what they are, what they are for and how important they are in UTOPIA – the GDPR software for privacy management.
The Organization is the first section to fill in, and a mandatory step that immediately starts the company on the path towards compliance.
An important distinction:
● If you are a professional offering privacy services, the organizations will be your customers
● If you are a company, the organization will be the company itself
In addition to general information such as business name and VAT number, you can also specify whether the company operates as a controller, as a processor, or as both. How do you determine which?
● Controller: when the company itself determines the purposes and means of the processing of personal data.
● Processor: when the company processes the data on behalf of a controller and has no "say" in the processing operations it carries out.
● Both roles: many companies are both controller and processor of personal data, for different processing operations.
Let us give an example. A company that develops and provides personnel management software could be the controller for its own employees' data and the processor for its customers' data. The purposes of the processing operations are different, but the organization is the same: it acts in both roles, each for a separate set of processing operations.
It can happen that administrative data is managed at one location while commercial data is managed at another, so it is very useful to create each location as a separate entry and keep them distinct.
Not to be confused with the privacy organization chart: this is the company organization chart, where we specify the areas or departments of the company, including, but not limited to, the processor.
In this list we will also include all persons authorized to process personal data, i.e. everyone within the organization who processes personal data.
After completing the list, you can view it in graphic form and download it as an image to your computer.
In this section you will store and upload all of your organization's documentation, such as company policies, internal specifications, guidelines or regulations.
By recording the release date and version number of each document, you can keep track of every update, which is one of the most important, and most often forgotten, organizational measures.
Joint controllers, who are not always present, are the parties with whom the controller jointly determines the purposes and means of a processing operation.
For example, two companies may organize a competition together: it will be necessary to draw up a joint controllership agreement covering the processing operations involved and to make the essence of it available to the data subjects as well.
Where the controller is established outside the European Union, a representative established in one of the Member States in which the data subjects are located must be designated.
The representative is the point of contact and may also act on behalf of the controller, in matters relating to the processing, towards the supervisory authority and the data subjects.
The data processor is a further party (a company, a person or a service) that processes personal data on behalf of the controller, engaged where the controller deems it appropriate after assessing the complexity and level of risk of the processing activity. Note that the GDPR (Art. 28) requires the relationship to be governed by a written contract or other legal act setting out the subject matter, duration, nature and purpose of the processing.
In this section you will see all the persons authorized to process data, and any processors, who also act as system administrators.
To see how to produce the documentation for external system administrators, read this article.
The data protection officer (DPO) is one of the main innovations of the GDPR. It is a crucial role, always mandatory for public authorities and bodies and, in some cases, also for private companies (typically where the core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data). You can read more about the DPO here.
In this section you can add the company's privacy consultants, i.e. the figures who support the controller in the numerous obligations required by the regulation.
These are all the tools used to store personal data, such as lockers, servers, software, PCs and smartphones.
It is essential to track all of them in order to have a complete view of where the processed data physically reside.
This concludes the first section of UTOPIA, the foundation for proceeding in a guided and facilitated way towards the goal of a "GDPR compliant organization".